Troldesh

Troldesh, also known as Encoder.858, is ransomware belonging to the Shade ransomware family. It was created in 2014. The malware encrypts files on the victim’s machine and demands a ransom for the data to be restored.

  • Type
    Ransomware
  • Origin
    Unknown
  • First seen
    1 January, 2014
  • Last seen
    21 November, 2019
  • Also known as
    Encoder.858
  • Global rank
    14
  • Week rank
    8
  • Month rank
    13
  • IOCs
    13

What is Troldesh?


To extract as much as possible from each victim, Troldesh also scans the target PC for banking files and banking software.

General description of Troldesh

Attacking Windows users mainly in Russia, Ukraine, and Germany, Troldesh is one of the three most widespread file-encrypting ransomware families in Russia.

In addition to this behavior, Troldesh often comes in conjunction with two particular malware samples, namely Mexar and Teamspy, which allow attackers to control the victim's PC remotely and give the virus the ability to install other malware on the infected PC.

In fact, unlike most other ransomware, this virus does not stop executing after encrypting the victim’s files. Instead, it enters an infinite loop in which it requests URLs of other malicious programs from the command server, then downloads and installs them on the infected machine. This means that most victims infected with Troldesh may end up with a whole host of infections on their PC.

Even though the malware itself has not evolved a lot throughout its lifespan, the method which attackers use to demand the ransom has changed. The first malware samples provided an email address at which the victim could contact the attackers and negotiate the payment, whereas in newer campaigns the ransom note instructs victims to use the Tor browser to navigate to a payment page located on the Dark Web.

Being part of the Shade family, Troldesh shares several traits with related malware. All members of the family are written in C++ and utilize CTL. Another shared feature is a statically linked Tor client. Each sample also has a hardcoded URL of the command server. Malicious programs of this family are also known to exhibit similar or identical behavior: they create 10 identical ransom notes in two languages, Russian and English, named README1.txt through README10.txt.

Troldesh malware analysis

A video simulation recorded on ANY.RUN allows us to examine the lifecycle of the Troldesh malware in a lot of detail.

Figure 1: Process graph generated by ANY.RUN helps us visualize the life cycle of the virus

Troldesh execution process

Troldesh is spread in the form of a script file, either JavaScript or JScript. Usually, these files are packed in an archive, which is sometimes protected with a password. In the simulation performed on ANY.RUN, after the script file was unpacked and launched, it downloaded an executable file from the internet. It should be noted that, in the case of Troldesh, these executables normally carry innocuous-looking extensions such as .jpg. After being downloaded, the files are renamed and executed.

As shown in the ANY.RUN simulation, once running, the file immediately began performing malicious activity: encrypting files, stealing personal data, deleting shadow copies and changing autorun values in the registry. Files encrypted by the latest versions of Troldesh are known to carry the .crypted000007 extension, which was also the case in our simulation. Finally, once encryption had completed, the malicious executable dropped the ransom notes on the desktop.
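The host-side traces described above (the .crypted000007 extension, the README1.txt to README10.txt notes, and an executable downloaded under an image extension) can be checked for with a small triage script. The following is an added example written for this page, not code from ANY.RUN or from the malware analysis; the sample directory tree it builds is constructed placeholder data, and the set of "harmless" image extensions it checks for a PE header is my assumption rather than a list from the analysis.

```python
import os
import re
import tempfile
from pathlib import Path

# Host indicators taken from the analysis above: the extension appended to
# encrypted files, the ten ransom-note names, and executables that arrive under
# an image extension before being renamed and run.
ENCRYPTED_EXT = ".crypted000007"
NOTE_NAME = re.compile(r"^README(10|[1-9])\.txt$", re.IGNORECASE)
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}   # assumed set of "harmless" extensions
PE_MAGIC = b"MZ"                                           # DOS/PE header signature


def triage_tree(root):
    """Walk a directory tree and return Troldesh indicators found under it.

    The result maps each indicator class to a sorted list of paths relative to
    root: "encrypted" files, ransom "notes", and "disguised_pe" files whose name
    says image but whose content starts with a PE header.
    """
    root = Path(root)
    found = {"encrypted": [], "notes": [], "disguised_pe": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.lower().endswith(ENCRYPTED_EXT):
                found["encrypted"].append(rel)
            elif NOTE_NAME.match(name):
                found["notes"].append(rel)
            elif path.suffix.lower() in IMAGE_EXTS:
                with open(path, "rb") as fh:
                    if fh.read(len(PE_MAGIC)) == PE_MAGIC:
                        found["disguised_pe"].append(rel)
    for paths in found.values():
        paths.sort()
    return found


def looks_like_troldesh(found):
    """Encrypted files plus at least one ransom note is the strong host signal."""
    return bool(found["encrypted"]) and bool(found["notes"])


def build_sample_tree(root):
    """Create a constructed sample tree; every file is harmless placeholder data."""
    root = Path(root)
    for sub in ("Documents", "Desktop", "Temp", "Pictures"):
        (root / sub).mkdir()
    (root / "Documents" / "report.docx.crypted000007").write_bytes(b"\x00" * 64)
    for i in (1, 2, 10):
        (root / "Desktop" / f"README{i}.txt").write_text("constructed ransom-note placeholder\n")
    (root / "Desktop" / "README11.txt").write_text("not one of the ten note names\n")
    # An "image" that is really a PE file: MZ header followed by padding.
    (root / "Temp" / "photo.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    # A genuine JPEG starts with the SOI marker, not MZ.
    (root / "Pictures" / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 60)


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(f"{kind}: {paths}")
    print("Troldesh indicators present:", looks_like_troldesh(result))
```

Run it against a user profile or a mounted disk image instead of the temporary tree to get a quick count of encrypted files and note locations before deciding on containment; the README11.txt decoy shows why the note name is matched exactly rather than by prefix.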

Figure 2: Process tree of a Troldesh ransomware execution

How to avoid infection by Troldesh

Since Troldesh is commonly distributed through malspam campaigns that mimic real company newsletters, a good way of staying safe is to check the authenticity of an email thoroughly before downloading any attachments. If necessary, one can contact the company that supposedly sent the newsletter and verify that it did, in fact, send the email.

Once a machine is infected, Troldesh installs several secondary malware samples on it, so after Troldesh itself has been removed, it is important to run a full system scan and make sure the machine is not harboring other malware as well.

Distribution of Troldesh

Troldesh is known to utilize two main attack vectors – email spam and exploit kits. Malspam campaigns usually mimic legitimate information newsletters from real Russian companies, including banks and large supermarket chains. The emails themselves contain an archive file in which another script file is included.

Upon unpacking the archive and launching the script, a malicious loader is installed. It in turn downloads and installs the main payload, Troldesh itself. The loader is known to be stored on legitimate but compromised WordPress websites, where it is disguised as an image file.
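The email vector described in the two paragraphs above (an archive attachment carrying a script file, sometimes password-protected) is the kind of thing a mail gateway can screen for without needing a signature for the script itself. The following is an added example written for this page, not code from ANY.RUN; the attachments it inspects are constructed in memory, it handles only zip archives (the analysis does not say which archive formats are used), and the lists of script and archive extensions are my own assumptions.

```python
import io
import os
import zipfile

# Assumed lists (my choice, not an inventory from the analysis): script types
# that Windows runs directly on double-click, and archive types that may wrap
# a second archive.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def inspect_zip_attachment(data):
    """Return a list of (kind, member_name) findings for a zip given as bytes.

    kind is one of "script", "nested_archive", "encrypted" (member flagged as
    password protected, so its content cannot be examined) or "not_zip".
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("not_zip", "")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if info.flag_bits & 0x1:   # bit 0 of the general-purpose flag marks encryption
                findings.append(("encrypted", name))
            if ext in SCRIPT_EXTS:
                findings.append(("script", name))
            elif ext in ARCHIVE_EXTS:
                findings.append(("nested_archive", name))
    return findings


def verdict(findings):
    """Gateway policy: quarantine anything carrying a script or that cannot be inspected."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"script", "encrypted", "not_zip"}:
        return "quarantine"
    if "nested_archive" in kinds:
        return "review"
    return "deliver"


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments, not real lures.
LURE_ZIP = make_zip({"Bank_statement_2019.js": b"// placeholder script body, not malicious\n"})
NESTED_ZIP = make_zip({"newsletter.zip": make_zip({"offer.txt": b"placeholder\n"})})
CLEAN_ZIP = make_zip({"price_list.pdf": b"%PDF-1.4 placeholder\n"})
NOT_ZIP = b"Rar!\x1a\x07\x00" + b"\x00" * 16   # a non-zip container the scanner cannot open

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("nested", NESTED_ZIP),
                        ("clean", CLEAN_ZIP), ("not zip", NOT_ZIP)):
        findings = inspect_zip_attachment(blob)
        print(f"{label}: {verdict(findings)} {findings}")
```

Python's zipfile cannot write encrypted archives, so the password-protected case is not among the constructed samples, but the flag check is what reports it on a real attachment; the policy treats "cannot inspect" the same as "contains a script", which is the conservative choice given that the password is usually supplied in the lure text.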

Troldesh is also known to use the Axpergle and Nuclear exploit kits, and these attacks are arguably even more dangerous than email spam because they require no action from the user for the infection to begin. Instead, upon visiting a compromised URL, which can be a website hosted by the attackers or a legitimate website that has been hacked, the malware exploits a vulnerability either in the browser itself or in one of its plugins, gaining a foothold on the user's PC and starting execution automatically. Thus, victims can be infected without ever realizing the danger.

Communication with C&C

Address information of C&C servers is embedded in the body of each malware sample. Servers themselves are hosted on the dark web and communication is established with the use of a Tor client.

Once installed on a victim's PC, the malware requests a public key value from the server to encrypt the victim’s files. Should the connection attempt fail, the virus uses one of one hundred private key values stored in its memory.

How to detect Troldesh using ANY.RUN?

Since Troldesh writes to the registry, analysts can identify it from its registry changes. Select the process by clicking on it in the task's process tree, then click the "More info" button. In the "Advanced details of process" window, switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes the value "906D0F2E2F604F839E04" under the name "xi" into the key HKLM\SOFTWARE\System32\Configuration, it is Troldesh.
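The same registry indicator can be turned into a detection over endpoint telemetry rather than checked by hand in the sandbox. The following is an added example written for this page, not code from ANY.RUN; the events are constructed records modelled on the fields Sysmon logs for Event ID 13 (a registry value being set), only the first of them carries the real value name and data from the analysis, and the process paths and the other two events are invented for contrast. An exact match on key, value name and data is the high-confidence signal; a write under that key path with different data is reported at lower confidence because, as far as I know, HKLM\SOFTWARE\System32\Configuration is not a key Windows itself creates.

```python
# Constructed events modelled on Sysmon Event ID 13 fields (RegistryEvent, value set).
# Only the first event carries the Troldesh value from the analysis; the process
# paths and the remaining events are invented for contrast.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\1.exe",
     "TargetObject": r"HKLM\SOFTWARE\System32\Configuration\xi",
     "Details": "906D0F2E2F604F839E04"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\2.exe",
     "TargetObject": r"HKLM\SOFTWARE\System32\Configuration\xi",
     "Details": "constructed-other-value"},
]

# Indicator from the analysis above.
TROLDESH_KEY = r"HKLM\SOFTWARE\System32\Configuration"
TROLDESH_VALUE_NAME = "xi"
TROLDESH_VALUE_DATA = "906D0F2E2F604F839E04"


def normalize_key(target):
    """Map long hive names to the short forms Sysmon uses and fold case."""
    t = target.replace("HKEY_LOCAL_MACHINE\\", "HKLM\\")
    t = t.replace("HKEY_CURRENT_USER\\", "HKCU\\")
    return t.upper()


def classify_event(event):
    """Return "high", "medium" or None for one registry value-set event.

    high   : exact key, value name and data from the analysis
    medium : any other value written under the same key path
    """
    if event.get("EventID") != 13:
        return None
    target = normalize_key(event["TargetObject"])
    key, _, value_name = target.rpartition("\\")
    if key != TROLDESH_KEY.upper():
        return None
    data = event.get("Details", "").upper()
    if value_name == TROLDESH_VALUE_NAME.upper() and data == TROLDESH_VALUE_DATA:
        return "high"
    return "medium"


def scan_events(events):
    """Return [(severity, image)] for every event that matches the indicator."""
    hits = []
    for ev in events:
        severity = classify_event(ev)
        if severity:
            hits.append((severity, ev["Image"]))
    return hits


if __name__ == "__main__":
    for severity, image in scan_events(SAMPLE_EVENTS):
        print(f"[{severity}] Troldesh registry indicator written by {image}")
```

The writing process is carried in the result so the alert can be tied back to the dropped executable in the process tree; the Image field is also the natural pivot for the secondary downloads described earlier, since the same process keeps fetching further payloads.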

Figure 3: Registry changes created by Troldesh

Conclusion

Troldesh is an extremely dangerous ransomware that can infect victims who simply browse to the wrong place at the wrong time and land on a website hacked by the attackers. Unlike most other ransomware, which simply demands money in exchange for the user’s encrypted data, Troldesh doesn’t stop there and goes the extra mile to spread other dangerous malware samples on the victim’s PC.

Utilizing analysis services like ANY.RUN is a great way to examine the virus from a safe environment and develop a sufficient defense strategy.

IOCs

IP addresses
104.16.154.36
104.16.155.36
66.171.248.178
Hashes
Domains
majul.com
e8960.b.akamaiedge.net
isns.net
elx01.knas.systems
qxq.ddns.net
www.whatismyipaddress.com
bb-sandonato.com
www.whatsmyip.net
hunterdekaron.net
www.planiligue.com
